Investments In Antivirus Software Are Paying Off

Five years ago, when few critical business systems were exposed to the Web, Melissa, the first mass-mailing virus, hit, causing about $1.5 billion in damages worldwide. A year later, the Love Bug mass-mailer struck and cost businesses even more, an estimated $8.75 billion in damages.

When Love Bug struck, hundreds of government agencies and businesses reportedly shut down their E-mail systems to contend with and contain the attack. News circulated that Capitol Hill and the British Parliament took their E-mail systems offline, while companies such as AT&T and Ford Motor Co. supposedly shut down their messaging systems, too.

Nowadays, few companies are forced to take such drastic actions when a virus strikes, yet there's no reprieve from the attacks. The worldwide cost of MyDoom, which hit this year, is being put at $4 billion. This equals damages from the SoBig.F virus in 2003 and SQL Slammer worm in 2004 combined.

Yet there's good news. According to research company Computer Economics, the worldwide cost of major virus outbreaks last year totaled $12.5 billion. While that figure edged past 2002's $11.1 billion, it's much lower than the $17.1 billion in 2000.

Computer Security Institutes' CSI/FBI 2003 Computer Crime and Security Survey reveals that, at $27 million, the costs associated with virus outbreaks hit an all-time low, too, down from nearly $50 million in 2002 and $45 million reported in 2001. So although companies, on average, spend less than 2% of their total information-security budget on security software, investments in securing desktop and E-mail services with antivirus software are paying off.

Computer Economics' survey on information-systems spending found that companies with annual revenue of less than $250 million spent an average of 1.7% of their total IS budget on security software in 2003, slightly ahead of the 1.5% spent at companies with revenue of $250 million to $750 million or the 1.6% spent by businesses with $750 million or more in annual revenue. Investment in security hardware was less: 1.5% of the IT budget for companies with revenue of less than $250 million and 1.3% for companies with revenue of $250 million or more.

Interested in knowing how cutting edge your company's security practices are? Participate in InformationWeek's security survey, available now online at informa tionweek.com/surveys/global04.

George V. Hulme
Senior Editor, Security
[email protected]

Damage Estimates

What's the financial impact of the major virus attacks?

Cloaked behind subject lines such as "Read This," MyDoom is one of the most recent in a long string of E-mail-embedded worms to test the response time of network administrators--but it isn't the most costly attack ever. That dishonor goes to Love Bug, which hit in 2000 and, according to Computer Economics, caused nearly $9 billion in damage.